How to Configure a Site, Domain, or Organizational Unit to Prevent Users from Changing Passwords Unless Prompted
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the domain or organizational unit for which you want to implement the new password change policy, and then click Properties.
Click the Group Policy tab.
Click the Group Policy object (GPO) that you want to work with, and then click Edit. If there are no existing policies listed in the Group Policy Object Links list, click New to create a new policy, type a name for the new policy, and then click Edit.
Expand the GPO, expand User Configuration, expand Administrative Templates, and then expand System.
Click Ctrl+Alt+Del Options.
In the right pane, double-click Remove Change Password.
Click Enabled, and then click OK.
Quit the Group Policy Object Editor snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
Click Start, and then click Run.
Type cmd in the Open box, and then click OK.
At the command prompt, type the following line, and then press ENTER:
gpupdate /target:user /force
Type exit to close the command prompt.
NOTE: By default, policies that are applied to either users or computers at the domain level will apply to all users and all computers in the domain. By default, the application of a policy to organization units will apply to all user accounts and machine accounts that reside in that organization unit, and to any suborganizational unit that may exist. A user account must either be moved into, or be created in, that organization unit for it to apply. If you just add security groups that a user may be a member of to an organization unit, this will not apply the policy to that user.
Or you can write a PowerShell script which changes the User Can Change Password flag from true to false for all the users.